Cybersecurity doesn’t just protect value - It creates it

Job Voorhoeve | Netherlands
Is your CISO the right player, in the right place?
Enterprise risk. Regulatory compliance. Reputation. Long-term value. Cybersecurity touches all four board imperatives. No longer just a matter of technical protection, it concerns sustainable performance and strategic resilience.
From risk to value proposition – a Board responsibility
If the topic hasn’t yet landed in a boardroom, it will - especially after a serious event. We see the story repeatedly: boards look the other way until ransomware strikes. The financial fallout is devastating. Share prices drop. Insurance premiums soar. Crippling fines are levied. But this is only the start. The aftershocks arrive later.
Boards know that cyber risk is a financial and even existential threat. They also face increasing pressure from regulatory frameworks: NIS2, GDPR, and DORA [1]. Neglect is a governance failure and a board liability. But is this rising awareness translating into action? Why are CISOs so often disempowered, even today?
To make real progress, an entire company must become risk‑aware. One click on a phishing link can be catastrophic. This year, helpdesk staff at Dutch telecoms provider Odido did exactly that. In 2025, a cyber-attack on the University of Eindhoven went undetected for five days, virtually paralysing it for a week [2]. A report described the university’s response as ‘exemplary’. But it also signaled security shortcomings. The lapse was even more astonishing as the University of Maastricht had suffered a malware attack in 2019, resulting in a ransom payment of 200,000 euros in bitcoin – a ‘devil’s dilemma’ for the board [3].
Failures can have a ripple effect. Consider Trivium Packaging. In 2021, a cyberattack shut down production in Spain [4], disrupting customer supply chains. Trivium’s cybersecurity head later described how the breach had sparked an overnight change in risk appetite, and a major transformation [5]. “We had some really old, really bad practices. As long as we could make cans, nobody really cared what was happening.” No wonder major consumer brands now require their suppliers to meet their own cybersecurity standards.
AI introduces still more risks, and CISOs must understand the evolving regulation [6], even if they share responsibility with the Chief Legal or AI Officer. During early internal testing, the GenAI recommendation bot of a major e-commerce fashion platform produced unsafe or inappropriate product suggestions, including scissors and knives. Headed by its CISO, the security team ran 80,000 adversarial prompts to test the model’s guardrails.
The aftershocks of sub-par cybersecurity are deep and resonant. Breaches are a serious trust issue: they erode customer confidence and damage brands. They trigger investor activism and reduce M&A value. In private equity, cyber maturity directly influences valuation and exit readiness.
But there are bright spots. Dutch telecom company KPN exemplifies the potential of good cybersecurity practice to deliver not only systemic enterprise risk management, but value creation. Its CISO reframed cybersecurity across the whole organization, enabling KPN to go one step further and turn its internal cybersecurity focus outward. Today, KPN Security is the largest supplier of cybersecure solutions in the Netherlands, serving SMEs, corporates, and the government.
The 4-dimensional CISO: Risk translator, strategist, board educator, and culture shaper.
And yet, so many boards fail to position CISOs correctly: to give them the right mandate, authority, resources, and access to external expertise. Reporting directly to the board, a CISO must work across the C‑suite: the CEO, CIO, COO, CLO, and CFO. To anchor an organization-wide cybersecurity culture, learning and development, the CHRO is just as essential. Boards need training too: ‘tabletops’, crisis simulations of mock breaches, full scenarios, even TV cameras to train CEOs in how to respond publicly.
Where do we find the CISO for what’s next? They operate in the public and private sector, telecoms and banking, retailers and airlines, pharmaceuticals, and life sciences. As the Trivium case illustrates, manufacturing and supply-chain-driven businesses demand particular OT [7] security skills. Every industry has its own dynamics. Designing a CISO role profile is high‑stakes and specific.
But one factor spans sectors - organization design. Top candidates will scrutinize your ecosystem. The best won’t move without the authority to make change happen. If your CEO hires a CISO with a mandate to strengthen resilience, you’ll have their attention. If your CIO hires them into a weak position with no first line of defense or their own skilled security team, they’ll turn away.
When culture meets money
All of this means that the CISO is a people‑oriented role. CISOs must train the entire organization not to fall for phishing and must use engaging methods such as gamification to build a resilience culture. They must also speak the language of EBITDA, risk appetite, investment trade‑offs, and business continuity, not just firewall specifications. And when it comes to value creation, KPN demonstrates how cybersecurity can become a commercial differentiator – a revenue-generating mark of trust and safety.
The broader question is no longer whether boards should be involved in cybersecurity, but whether they understand the real stakes. Cyber maturity equals business maturity.
Sources
[1] The Digital Operational Resilience Act – EU-led and reinforcing all other regulation.
[2] DutchNews (2025). ‘Hackers who attacked TU Eindhoven went undetected for five days.’ May 19, 2025.
[3] Lückerath-Rovers, M. (2024). The Case of Maastricht University Paying Ransom After a Cyber Attack. In: Moral Dilemmas in the Boardroom. Palgrave Macmillan, Cham. https://doi.org/10.1007/978-3-031-65269-1_12
[4] Incibe (2021). ‘Cyberattack at Trivium Packaging may result in a layoff.’ May 13, 2021.
[5] Interview (September 2025) for Technology Unlocked on LinkedIn/Inspired Business Media.
[6] The AI Act (EU) enters into force on 2 August 2026, ensuring that AI is trustworthy, human-centric, and respects fundamental rights.
[7] Operational Technology.